What is SAMSAM?

SAMSAM (Version 4), also known as MSIL/Samas.A, is a ransomware strain. Analyses of vulnerabilities are shared on the dark web, and cyber actors then use them to deploy the ransomware on a network.

How does SAMSAM work?

According to Malwarebytes Labs, SamSam ransomware is a custom infection used in targeted attacks, often deployed using a wide range of exploits or brute-force tactics. Attacks were made on targets via vulnerable JBoss host servers during a previous wave of SamSam attacks in 2016 and 2017. In 2018, SamSam used vulnerabilities in Remote Desktop Protocol (RDP), Java-based web servers, or File Transfer Protocol (FTP) servers to gain access to the victims’ network, or brute force against weak passwords to obtain an initial foothold. From there, the ransomware “fun and games” begin for the authors. For everyone else, it’s chaos.

A common thread tying all of these attacks together is the use of the word “sorry” in ransom notes, URLs, and even infected files. It’s made hundreds of thousands of dollars so far, and it’s caused no end of trouble in the US for cities like Atlanta.

I see a ransom note screen on my computer. How do I know it’s SAMSAM?

The ransom note is quite interesting, giving the option of randomly selected file encryption (if you don’t pay the full amount). They’ll also unlock one file for free as a token of trust that they will give your files back after payment.

In the above ransom note, the hackers demand 0,8 Bitcoins to recover the decryption key for each affected PC – this is about R 43 000 per PC!

According to Symantec’s Security Centre, SAMSAM adds the following extension to the files it encrypts: .encryptedRSA

What else can I do to protect my systems from ransomware like SAMSAM in the future?

Audit your network for systems that use RDP for remote communication. Disable the service if it is not needed, or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.

Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.

Minimise network exposure for all control system devices. Where possible, disable RDP on critical devices.

Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
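As an added example (not code from the original post or from any vendor), here is a small audit for the RDP exposure checks above: it walks a constructed, vendor-neutral model of cloud instances and their inbound firewall rules and flags every instance that has a public IP and a rule admitting TCP/3389 from outside RFC 1918 / ULA ranges, including rules whose port range merely covers 3389. The data model, instance names and addresses are assumptions made for the example.

```python
"""Audit inbound firewall rules for RDP (TCP 3389) reachable from the Internet."""
import ipaddress

RDP_PORT = 3389

# Sources that are assumed to be reachable only over the internal network / VPN.
INTERNAL_SOURCES = [ipaddress.ip_network(c) for c in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample inventory (not a real vendor API schema): each instance has its
# public IP (None if it has only private addressing) and its inbound allow rules.
SAMPLE_INSTANCES = [
    {"name": "web-01", "public_ip": "203.0.113.10",
     "inbound": [{"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
    {"name": "jump-01", "public_ip": "203.0.113.11",          # RDP open to the world
     "inbound": [{"proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"}]},
    {"name": "app-02", "public_ip": "203.0.113.12",           # wide range that covers 3389
     "inbound": [{"proto": "tcp", "from_port": 3000, "to_port": 4000, "cidr": "::/0"}]},
    {"name": "db-01", "public_ip": None,                      # no public IP: not flagged here
     "inbound": [{"proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"}]},
    {"name": "adm-01", "public_ip": "203.0.113.13",           # RDP limited to the VPN range
     "inbound": [{"proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "10.0.0.0/8"}]},
]


def source_is_internal(cidr):
    """True if the whole source CIDR lies inside one of the internal ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(internal) for internal in INTERNAL_SOURCES
               if internal.version == net.version)


def rule_exposes_rdp(rule):
    """True if an allow rule admits TCP/3389 from a non-internal source."""
    if rule.get("proto", "tcp") not in ("tcp", "all"):
        return False
    lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)   # "all" rules omit ports
    if not lo <= RDP_PORT <= hi:
        return False
    return not source_is_internal(rule["cidr"])


def find_exposed_rdp(instances):
    """Names of instances with a public IP and at least one Internet-reachable RDP rule."""
    return [inst["name"] for inst in instances
            if inst["public_ip"] and any(rule_exposes_rdp(r) for r in inst["inbound"])]


if __name__ == "__main__":
    for name in find_exposed_rdp(SAMPLE_INSTANCES):
        print(f"{name}: RDP (TCP/{RDP_PORT}) reachable from the Internet; put it behind VPN")
```

Feeding the same model from a real inventory export turns this into a recurring check; an instance with an exposed 3389 but no public IP still deserves a firewall review, it is just outside what this script reports.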